Cisco has disclosed a new maximum-severity security vulnerability impacting Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could permit an attacker to execute arbitrary code on the underlying operating system with elevated privileges.
Tracked as CVE-2025-20337, the shortcoming carries a CVSS score of 10.0 and is similar to CVE-2025-20281, which was patched by the networking equipment major late last month.
“Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities,” the company said in an updated advisory.
“These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.”
Kentaro Kawane of GMO Cybersecurity has been credited with discovering and reporting the flaw. Kawane was previously acknowledged for two other critical Cisco ISE flaws (CVE-2025-20286 and CVE-2025-20282) and another critical bug in Fortinet FortiWeb (CVE-2025-25257).
CVE-2025-20337 affects ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration. It does not impact ISE and ISE-PIC release 3.2 or earlier. The issue has been patched in the following versions –
- Cisco ISE or ISE-PIC Release 3.3 (Fixed in 3.3 Patch 7)
- Cisco ISE or ISE-PIC Release 3.4 (Fixed in 3.4 Patch 2)
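The affected/fixed matrix above is the kind of thing that gets misread in a hurry (for example, 3.4 with no patch is vulnerable, while 3.2 is out of scope). The following is an added example, not code from Cisco or from the article, that turns the advisory's release and patch levels into a triage check over a constructed inventory. It assumes version strings of the shape "3.3 Patch 6", "3.4", or "3.3.0.430 patch 7"; the hostnames and `SAMPLE_INVENTORY` are made up for illustration.

```python
import re

# Affected/fixed matrix for CVE-2025-20337 as published in the advisory:
# release -> first patch level that contains the fix. Releases below 3.3 are
# not affected; releases above 3.4 are not covered by the advisory text and
# are therefore reported as "unknown" rather than guessed.
FIRST_FIXED_PATCH = {
    (3, 3): 7,   # Cisco ISE / ISE-PIC 3.3 fixed in 3.3 Patch 7
    (3, 4): 2,   # Cisco ISE / ISE-PIC 3.4 fixed in 3.4 Patch 2
}

# Accepts "3.3", "3.3 Patch 6", "3.4 P2", "3.3.0.430 patch 7" (assumed formats).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*(?:\s*(?:patch|p)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_ise_version(text: str):
    """Return (major, minor, patch); a missing patch suffix means Patch 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def cve_2025_20337_status(version: str) -> str:
    """Classify a release as 'vulnerable', 'fixed', 'not_affected' (3.2 and
    earlier) or 'unknown' (release newer than the advisory covers)."""
    major, minor, patch = parse_ise_version(version)
    release = (major, minor)
    if release in FIRST_FIXED_PATCH:
        return "fixed" if patch >= FIRST_FIXED_PATCH[release] else "vulnerable"
    if release < (3, 3):
        return "not_affected"
    return "unknown"


def triage(inventory: dict) -> list:
    """Return the sorted hostnames that still need the fix applied."""
    return sorted(h for h, v in inventory.items()
                  if cve_2025_20337_status(v) == "vulnerable")


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "ise-pan-01": "3.3 Patch 6",    # one patch short of the fix
    "ise-psn-02": "3.3 Patch 7",    # fixed
    "ise-pic-01": "3.4",            # base 3.4, no patch: vulnerable
    "ise-psn-03": "3.4 Patch 2",    # fixed
    "ise-legacy": "3.2 Patch 5",    # release not affected
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:12s} {ver:14s} {cve_2025_20337_status(ver)}")
    print("needs patching:", triage(SAMPLE_INVENTORY))
```

The check deliberately reports anything newer than 3.4 as "unknown" instead of assuming it is safe; extend `FIRST_FIXED_PATCH` only from the vendor's own advisory, and treat the result as a triage aid rather than a substitute for verifying the installed patch on each node.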
There is no evidence that the vulnerability has been exploited in the wild. Even so, because the flaw is reachable by an unauthenticated remote attacker and yields root on the appliance, affected ISE and ISE-PIC deployments should be moved to the fixed patch levels promptly rather than waiting for reports of active exploitation.
The disclosure comes as The Shadowserver Foundation reported that threat actors have likely been using publicly released exploits for CVE-2025-25257 to drop web shells on vulnerable Fortinet FortiWeb instances since July 11, 2025.
As of July 15, there are estimated to be 77 infected instances, down from 85 the day before. The majority of the compromises are concentrated around North America (44), Asia (14), and Europe (13).
Data from the attack surface management platform Censys shows that there are 20,098 Fortinet FortiWeb appliances online, excluding honeypots, although it’s currently not known how many of these are vulnerable to CVE-2025-25257.
“This flaw enables unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP requests, leading to remote code execution (RCE),” Censys said.